From 1814aec611a5f9e03eceee81237ad3a3f51c954a Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Wed, 26 Oct 2011 23:56:54 +0000 Subject: Fix whitespace issues Cleanup trailing whitespaces, indentation that uses spaces before tabs, and blank lines at EOF. Make the project free of warnings reported by git diff --check 4b825dc642cb6eb9a060e54bf8d69288fbee4904 HEAD --- modules/pam_selinux/Makefile.am | 3 +-- modules/pam_selinux/pam_selinux.c | 44 ++++++++++++++++----------------- modules/pam_selinux/pam_selinux_check.8 | 2 +- 3 files changed, 24 insertions(+), 25 deletions(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 5c83acb4..ef142f4e 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -10,7 +10,7 @@ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ if HAVE_LIBSELINUX TESTS = tst-pam_selinux - man_MANS = pam_selinux.8 + man_MANS = pam_selinux.8 endif XMLS = README.xml pam_selinux.8.xml @@ -40,4 +40,3 @@ noinst_DATA = README pam_selinux.8 README: pam_selinux.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index f99d433a..b777b01e 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -142,7 +142,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, char **response, int debug) { int rc; - if (def) + if (def) rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def); else rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text); @@ -150,7 +150,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, if (*response == NULL) { rc = PAM_CONV_ERR; } - + if (rc != PAM_SUCCESS) { pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text); } else if (debug) 
@@ -190,11 +190,11 @@ manual_context (pam_handle_t *pamh, const char *user, int debug) /* Allow the user to enter each field of the context individually */ if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && response[0] != '\0') { - if (context_role_set (new_context, response)) + if (context_role_set (new_context, response)) goto fail_set; - if (get_default_type(response, &type)) + if (get_default_type(response, &type)) goto fail_set; - if (context_type_set (new_context, type)) + if (context_type_set (new_context, type)) goto fail_set; _pam_drop(type); } @@ -283,7 +283,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre while (1) { if (query_response(pamh, - _("Would you like to enter a different role or level?"), "n", + _("Would you like to enter a different role or level?"), "n", &response, debug) == PAM_SUCCESS) { resp_val = response[0]; _pam_drop(response); @@ -293,22 +293,22 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if ((resp_val == 'y') || (resp_val == 'Y')) { if ((new_context = context_new(defaultcon)) == NULL) - goto fail_set; + goto fail_set; /* Allow the user to enter role and level individually */ - if (query_response(pamh, _("role:"), context_role_get(new_context), + if (query_response(pamh, _("role:"), context_role_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (get_default_type(response, &type)) { pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); _pam_drop(response); continue; } else { - if (context_role_set(new_context, response)) + if (context_role_set(new_context, response)) goto fail_set; if (context_type_set (new_context, type)) goto fail_set; _pam_drop(type); - } + } } _pam_drop(response); 
@@ -320,9 +320,9 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (getcon(&mycon) != 0) goto fail_set; - my_context = context_new(mycon); + my_context = context_new(mycon); if (my_context == NULL) { - freecon(mycon); + freecon(mycon); goto fail_set; } freecon(mycon); @@ -331,11 +331,11 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre goto fail_set; } context_free(my_context); - } else if (query_response(pamh, _("level:"), context_range_get(new_context), + } else if (query_response(pamh, _("level:"), context_range_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (context_range_set(new_context, response)) goto fail_set; - } + } _pam_drop(response); } @@ -355,7 +355,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); - send_audit_message(pamh, 0, defaultcon, newcon); + send_audit_message(pamh, 0, defaultcon, newcon); free(newcon); goto fail_range; @@ -380,7 +380,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre context_free (new_context); send_audit_message(pamh, 0, defaultcon, NULL); fail_range: - return NULL; + return NULL; } static security_context_t @@ -405,7 +405,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env); goto fail_set; } else { - if (context_role_set(new_context, env)) + if (context_role_set(new_context, env)) goto fail_set; if (context_type_set(new_context, type)) goto fail_set; 
@@ -449,7 +449,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par if (debug) pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon); - + /* Get the string value of the context and see if it is valid. */ if (security_check_context(newcon)) { pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); @@ -623,7 +623,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, env_params = 1; } } - + if (debug) pam_syslog(pamh, LOG_NOTICE, "Open Session"); @@ -656,9 +656,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, #else if (getseuserbyname(username, &seuser, &level) == 0) { #endif - num_contexts = get_ordered_context_list_with_level(seuser, + num_contexts = get_ordered_context_list_with_level(seuser, level, - NULL, + NULL, &contextlist); if (debug) pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", @@ -692,7 +692,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, return PAM_SUCCESS; } } - else { + else { if (seuser != NULL) { user_context = manual_context(pamh,seuser,debug); free(seuser); diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 index d6fcdff1..34f578d7 100644 --- a/modules/pam_selinux/pam_selinux_check.8 +++ b/modules/pam_selinux/pam_selinux_check.8 @@ -29,7 +29,7 @@ returns an exit code of 0 for success and > 0 on error: pam_selinux(8) .SH BUGS -Let's hope not, but if you find any, please email the author. +Let's hope not, but if you find any, please email the author. .SH AUTHOR Dan Walsh -- cgit v1.2.3 From c9c4faaf50c66d5e4d1b9d6c450c206c12f09f8a Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin"
Date: Thu, 27 Oct 2011 14:55:55 +0000
Subject: Rename all .cvsignore files to .gitignore
---
modules/pam_selinux/.cvsignore | 11 -----------
modules/pam_selinux/.gitignore | 11 +++++++++++
2 files changed, 11 insertions(+), 11 deletions(-)
delete mode 100644 modules/pam_selinux/.cvsignore
create mode 100644 modules/pam_selinux/.gitignore
(limited to 'modules/pam_selinux')
diff --git a/modules/pam_selinux/.cvsignore b/modules/pam_selinux/.cvsignore
deleted file mode 100644
index 08754fd5..00000000
--- a/modules/pam_selinux/.cvsignore
+++ /dev/null
@@ -1,11 +0,0 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
-pam_selinux_check
-README
-pam_selinux.8
diff --git a/modules/pam_selinux/.gitignore b/modules/pam_selinux/.gitignore
new file mode 100644
index 00000000..08754fd5
--- /dev/null
+++ b/modules/pam_selinux/.gitignore
@@ -0,0 +1,11 @@
+*.la
+*.lo
+*.so
+*~
+.deps
+.libs
+Makefile
+Makefile.in
+pam_selinux_check
+README
+pam_selinux.8
-- cgit v1.2.3
From 3e7fb3233efe776d867be9d34b4b6e83ec59df86 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" Date: Thu, 27 Oct 2011 14:55:55 +0000 Subject: Update .gitignore files * .gitignore: Add common ignore patterns. * m4/.gitignore: Unignore local m4 files. * dynamic/.gitignore: Unignore Makefile. * libpamc/test/modules/.gitignore: Likewise. * libpamc/test/regress/.gitignore: Likewise. * po/.gitignore: Add Makevars.template. * conf/.gitignore: Remove common ignore patterns. * conf/pam_conv1/.gitignore: Likewise. * doc/.gitignore: Likewise. * doc/specs/.gitignore: Likewise. * doc/specs/formatter/.gitignore: Likewise. * examples/.gitignore: Likewise. * modules/pam_filter/upperLOWER/.gitignore: Likewise. * modules/pam_mkhomedir/.gitignore: Likewise. * modules/pam_selinux/.gitignore: Likewise. * modules/pam_stress/.gitignore: Likewise. * modules/pam_tally/.gitignore: Likewise. * modules/pam_tally2/.gitignore: Likewise. * modules/pam_timestamp/.gitignore: Likewise. * modules/pam_unix/.gitignore: Likewise. * tests/.gitignore: Likewise. * xtests/.gitignore: Likewise. * doc/adg/.gitignore: Remove. * doc/man/.gitignore: Remove. * doc/mwg/.gitignore: Remove. * doc/sag/.gitignore: Remove. * libpamc/.gitignore: Remove. * libpamc/test/.gitignore: Remove. * libpam/.gitignore: Remove. * libpam_misc/.gitignore: Remove. * modules/.gitignore: Remove. * modules/pam_access/.gitignore: Remove. * modules/pam_cracklib/.gitignore: Remove. * modules/pam_debug/.gitignore: Remove. * modules/pam_deny/.gitignore: Remove. * modules/pam_echo/.gitignore: Remove. * modules/pam_env/.gitignore: Remove. * modules/pam_exec/.gitignore: Remove. * modules/pam_faildelay/.gitignore: Remove. * modules/pam_filter/.gitignore: Remove. * modules/pam_ftp/.gitignore: Remove. * modules/pam_group/.gitignore: Remove. * modules/pam_issue/.gitignore: Remove. * modules/pam_keyinit/.gitignore: Remove. * modules/pam_lastlog/.gitignore: Remove. * modules/pam_limits/.gitignore: Remove. * modules/pam_listfile/.gitignore: Remove. * modules/pam_localuser/.gitignore: Remove. 
* modules/pam_loginuid/.gitignore: Remove.
* modules/pam_mail/.gitignore: Remove.
* modules/pam_motd/.gitignore: Remove.
* modules/pam_namespace/.gitignore: Remove.
* modules/pam_nologin/.gitignore: Remove.
* modules/pam_permit/.gitignore: Remove.
* modules/pam_pwhistory/.gitignore: Remove.
* modules/pam_rhosts/.gitignore: Remove.
* modules/pam_rootok/.gitignore: Remove.
* modules/pam_securetty/.gitignore: Remove.
* modules/pam_sepermit/.gitignore: Remove.
* modules/pam_shells/.gitignore: Remove.
* modules/pam_succeed_if/.gitignore: Remove.
* modules/pam_time/.gitignore: Remove.
* modules/pam_tty_audit/.gitignore: Remove.
* modules/pam_umask/.gitignore: Remove.
* modules/pam_userdb/.gitignore: Remove.
* modules/pam_warn/.gitignore: Remove.
* modules/pam_wheel/.gitignore: Remove.
* modules/pam_xauth/.gitignore: Remove.
---
modules/pam_selinux/.gitignore | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
(limited to 'modules/pam_selinux')
diff --git a/modules/pam_selinux/.gitignore b/modules/pam_selinux/.gitignore
index 08754fd5..6683beba 100644
--- a/modules/pam_selinux/.gitignore
+++ b/modules/pam_selinux/.gitignore
@@ -1,11 +1,2 @@
-*.la
-*.lo
-*.so
-*~
-.deps
-.libs
-Makefile
-Makefile.in
 pam_selinux_check
-README
-pam_selinux.8
+!pam_selinux_check.8
-- cgit v1.2.3
From 61a6b8c8e850ec1589e01accf15f3bce2c80d494 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" Date: Fri, 28 Oct 2011 02:20:17 +0000 Subject: Fix usage of LIBADD, LDADD and LDFLAGS * modules/pam_selinux/Makefile.am: Rename pam_selinux_check_LDFLAGS to pam_selinux_check_LDADD. * modules/pam_userdb/Makefile.am: Split out pam_userdb_la_LIBADD from AM_LDFLAGS. * modules/pam_warn/Makefile.am: Split out pam_warn_la_LIBADD from AM_LDFLAGS. * modules/pam_wheel/Makefile.am: Split out pam_wheel_la_LIBADD from AM_LDFLAGS. * modules/pam_xauth/Makefile.am: split out pam_xauth_la_LIBADD from AM_LDFLAGS. * xtests/Makefile.am: Rename AM_LDFLAGS to LDADD. --- modules/pam_selinux/Makefile.am | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index ef142f4e..48709ef5 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -21,12 +21,8 @@ secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include -pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \ - -L$(top_builddir)/libpam -lpam \ - -L$(top_builddir)/libpam_misc -lpam_misc - -pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module +pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -34,6 +30,8 @@ endif if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_selinux.la noinst_PROGRAMS = pam_selinux_check + pam_selinux_check_LDADD = -L$(top_builddir)/libpam -lpam \ + -L$(top_builddir)/libpam_misc -lpam_misc endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_selinux.8 -- cgit v1.2.3 From dc8b23cf9228ed432e9b7b2ee2209a06283241c0 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Fri, 28 Oct 2011 02:28:38 +0000 Subject: Use libpam.la/libpam_misc.la to link with -lpam/-lpam_misc GNU automake documentation recommends to avoid using -l options in LDADD or LIBADD when referring to libraries built by the package. Instead, it recommends to write the file name of the library explicitly, and use -l option only to list third-party libraries. As result, the default value of *_DEPENDENCIES will list all local libraries and omit the other ones. * modules/pam_access/Makefile.am (pam_access_la_LIBADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", to follow GNU automake recommendations. * modules/pam_cracklib/Makefile.am (pam_cracklib_la_LIBADD): Likewise. * modules/pam_debug/Makefile.am (pam_debug_la_LIBADD): Likewise. * modules/pam_deny/Makefile.am (pam_deny_la_LIBADD): Likewise. * modules/pam_echo/Makefile.am (pam_echo_la_LIBADD): Likewise. * modules/pam_env/Makefile.am (pam_env_la_LIBADD): Likewise. * modules/pam_exec/Makefile.am (pam_exec_la_LIBADD): Likewise. * modules/pam_faildelay/Makefile.am (pam_faildelay_la_LIBADD): Likewise. * modules/pam_filter/Makefile.am (pam_filter_la_LIBADD): Likewise. * modules/pam_filter/upperLOWER/Makefile.am (LDADD): Likewise. * modules/pam_ftp/Makefile.am (pam_ftp_la_LIBADD): Likewise. * modules/pam_group/Makefile.am (pam_group_la_LIBADD): Likewise. * modules/pam_issue/Makefile.am (pam_issue_la_LIBADD): Likewise. * modules/pam_keyinit/Makefile.am (pam_keyinit_la_LIBADD): Likewise. * modules/pam_lastlog/Makefile.am (pam_lastlog_la_LIBADD): Likewise. * modules/pam_limits/Makefile.am (pam_limits_la_LIBADD): Likewise. * modules/pam_listfile/Makefile.am (pam_listfile_la_LIBADD): Likewise. * modules/pam_localuser/Makefile.am (pam_localuser_la_LIBADD): Likewise. * modules/pam_loginuid/Makefile.am (pam_loginuid_la_LIBADD): Likewise. * modules/pam_mail/Makefile.am (pam_mail_la_LIBADD): Likewise. 
* modules/pam_mkhomedir/Makefile.am (pam_mkhomedir_la_LIBADD, mkhomedir_helper_LDADD): Likewise. * modules/pam_motd/Makefile.am (pam_motd_la_LIBADD): Likewise. * modules/pam_namespace/Makefile.am (pam_namespace_la_LIBADD): Likewise. * modules/pam_nologin/Makefile.am (pam_nologin_la_LIBADD): Likewise. * modules/pam_permit/Makefile.am (pam_permit_la_LIBADD): Likewise. * modules/pam_pwhistory/Makefile.am (pam_pwhistory_la_LIBADD): Likewise. * modules/pam_rhosts/Makefile.am (pam_rhosts_la_LIBADD): Likewise. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Likewise. * modules/pam_securetty/Makefile.am (pam_securetty_la_LIBADD): Likewise. * modules/pam_sepermit/Makefile.am (pam_sepermit_la_LIBADD): Likewise. * modules/pam_shells/Makefile.am (pam_shells_la_LIBADD): Likewise. * modules/pam_stress/Makefile.am (pam_stress_la_LIBADD): Likewise. * modules/pam_succeed_if/Makefile.am (pam_succeed_if_la_LIBADD): Likewise. * modules/pam_tally/Makefile.am (pam_tally_la_LIBADD): Likewise. * modules/pam_tally2/Makefile.am (pam_tally2_la_LIBADD, pam_tally2_LDADD): Likewise. * modules/pam_time/Makefile.am (pam_time_la_LIBADD): Likewise. * modules/pam_timestamp/Makefile.am (pam_timestamp_la_LIBADD, pam_timestamp_check_LDADD, hmacfile_LDADD): Likewise. * modules/pam_tty_audit/Makefile.am (pam_tty_audit_la_LIBADD): Likewise. * modules/pam_umask/Makefile.am (pam_umask_la_LIBADD): Likewise. * modules/pam_unix/Makefile.am (pam_unix_la_LIBADD): Likewise. * modules/pam_userdb/Makefile.am (pam_userdb_la_LIBADD): Likewise. * modules/pam_warn/Makefile.am (pam_warn_la_LIBADD): Likewise. * modules/pam_wheel/Makefile.am (pam_wheel_la_LIBADD): Likewise. * modules/pam_xauth/Makefile.am (pam_xauth_la_LIBADD): Likewise. * tests/Makefile.am (LDADD): Likewise. 
* examples/Makefile.am (LDADD): Replace "-L$(top_builddir)/libpam -lpam" with "$(top_builddir)/libpam/libpam.la", and "-L$(top_builddir)/libpam_misc -lpam_misc" with "$(top_builddir)/libpam_misc/libpam_misc.la", to follow GNU automake recommendations. * xtests/Makefile.am (LDADD): Likewise. * modules/pam_selinux/Makefile.am (pam_selinux_la_LIBADD): Likewise. --- modules/pam_selinux/Makefile.am | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 48709ef5..28c60d84 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -22,7 +22,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module -pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ +pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -30,8 +30,8 @@ endif if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_selinux.la noinst_PROGRAMS = pam_selinux_check - pam_selinux_check_LDADD = -L$(top_builddir)/libpam -lpam \ - -L$(top_builddir)/libpam_misc -lpam_misc + pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_selinux.8 -- cgit v1.2.3 From d39e8e553683fa9816bf54679ee5b963493f46f2 Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin"
Date: Tue, 19 Oct 2010 23:34:51 +0000
Subject: pam_selinux.c: rewrite using pam_get_data/pam_set_data
* modules/pam_selinux/pam_selinux.c (security_restorelabel_tty, security_label_tty): Remove old functions. (module_data_t): New structure. (free_module_data, cleanup, get_module_data, get_item, set_exec_context, set_file_context, compute_exec_context, compute_tty_context, restore_context, set_context, create_context): New functions. (pam_sm_authenticate, pam_sm_setcred, pam_sm_open_session, pam_sm_close_session): Use them.
---
modules/pam_selinux/pam_selinux.c | 602 +++++++++++++++++++++++-----------------
1 file changed, 336 insertions(+), 266 deletions(-)
(limited to 'modules/pam_selinux')
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index b777b01e..a8f540dd 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -480,139 +480,301 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par return newcon; } +#define DATANAME "pam_selinux_context" +typedef struct { + security_context_t exec_context; + security_context_t prev_exec_context; + security_context_t default_user_context; + security_context_t tty_context; + security_context_t prev_tty_context; + char *tty_path; +} module_data_t; + static void -security_restorelabel_tty(const pam_handle_t *pamh, - const char *tty, security_context_t context) +free_module_data(module_data_t *data) +{ + free(data->tty_path); + freecon(data->prev_tty_context); + freecon(data->tty_context); + freecon(data->default_user_context); + freecon(data->prev_exec_context); + if (data->exec_context != data->default_user_context) + freecon(data->exec_context); + memset(data, 0, sizeof(*data)); + free(data); +} + +static void +cleanup(pam_handle_t *pamh UNUSED, void *data, int err UNUSED) +{ + free_module_data(data); +} + +static const module_data_t * +get_module_data(const pam_handle_t *pamh) +{ + const void *data; + + return (pam_get_data(pamh, DATANAME, &data) == PAM_SUCCESS) ? data : NULL; +} + +static const char * +get_item(const pam_handle_t *pamh, int item_type) +{ + const void *item; + + return (pam_get_item(pamh, item_type, &item) == PAM_SUCCESS) ? item : NULL; +} + +static int +set_exec_context(const pam_handle_t *pamh, security_context_t context) +{ + if (setexeccon(context) == 0) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting executable context \"%s\" failed: %m", + context ? context : ""); + return -1; +} + +static int +set_file_context(const pam_handle_t *pamh, security_context_t context, + const char *file) +{ + if (!file) + return 0; + if (setfilecon(file, context) == 0 || errno == ENOENT) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting file context \"%s\" failed for %s: %m", + context ? 
context : "", file); + return -1; +} + +static int +compute_exec_context(pam_handle_t *pamh, module_data_t *data, + int select_context, int use_current_range, + int env_params, int debug) { - char ttybuf[PATH_MAX]; - const char *ptr; + const char *username; - if (context==NULL) - return; +#ifdef HAVE_GETSEUSER + const char *service; +#endif + char *seuser = NULL; + char *level = NULL; + security_context_t *contextlist = NULL; + int num_contexts = 0; - if(strncmp("/dev/", tty, 5)) { - snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); - ptr = ttybuf; + if (!(username = get_item(pamh, PAM_USER))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name"); + return PAM_USER_UNKNOWN; } - else - ptr = tty; - if (setfilecon(ptr, context) && errno != ENOENT) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not relabel %s with %s, not relabeling: %m", - ptr, context); + /* compute execute context */ +#ifdef HAVE_GETSEUSER + if (!(service = get_item(pamh, PAM_SERVICE))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name"); + return PAM_SESSION_ERR; + } + if (getseuser(username, service, &seuser, &level) == 0) { +#else + if (getseuserbyname(username, &seuser, &level) == 0) { +#endif + num_contexts = get_ordered_context_list_with_level(seuser, level, NULL, + &contextlist); + if (debug) + pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User= %s Level= %s", + username, seuser, level); + free(level); + } + if (num_contexts > 0) { + free(seuser); + data->default_user_context = strdup(contextlist[0]); + freeconary(contextlist); + if (!data->default_user_context) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; + } + + data->exec_context = data->default_user_context; + if (select_context) + data->exec_context = config_context(pamh, data->default_user_context, + use_current_range, debug); + else if (env_params || use_current_range) + data->exec_context = context_from_env(pamh, data->default_user_context, + env_params, use_current_range, + debug); 
+ } else { + if (seuser) { + data->exec_context = manual_context(pamh, seuser, debug); + free(seuser); + } } + + if (!data->exec_context) { + pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); + pam_prompt(pamh, PAM_ERROR_MSG, NULL, + _("Unable to get valid context for %s"), username); + } + + if (getexeccon(&data->prev_exec_context) < 0) + data->prev_exec_context = NULL; + + return PAM_SUCCESS; } -static security_context_t -security_label_tty(pam_handle_t *pamh, char *tty, - security_context_t usercon) +static int +compute_tty_context(const pam_handle_t *pamh, module_data_t *data) { - char ttybuf[PATH_MAX]; - int status=0; - security_context_t newdev_context=NULL; /* The new context of a device */ - security_context_t prev_context=NULL; /* The new context of a device */ - const char *ptr; - - if(strncmp("/dev/", tty, 5)) - { - snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); - ptr = ttybuf; + const char *tty = get_item(pamh, PAM_TTY); + + if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) { + tty = ttyname(STDIN_FILENO); + if (!tty || !*tty) + tty = ttyname(STDOUT_FILENO); + if (!tty || !*tty) + tty = ttyname(STDERR_FILENO); + if (!tty || !*tty) + return PAM_SUCCESS; } - else - ptr = tty; - - if (getfilecon(ptr, &prev_context) < 0) - { - if(errno != ENOENT) - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not get current context for %s, not relabeling: %m", - ptr); - return NULL; + + if (strncmp("/dev/", tty, 5)) { + if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0) + data->tty_path = NULL; + } else { + data->tty_path = strdup(tty); } - if( security_compute_relabel(usercon,prev_context,SECCLASS_CHR_FILE, - &newdev_context)!=0) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! 
Could not get new context for %s, not relabeling: %m", - ptr); - pam_syslog(pamh, LOG_NOTICE, - "usercon=%s, prev_context=%s", usercon, prev_context); - freecon(prev_context); - return NULL; + + if (!data->tty_path) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; } - status=setfilecon(ptr,newdev_context); - if (status) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not relabel %s with %s, not relabeling: %m", - ptr,newdev_context); - freecon(prev_context); - prev_context=NULL; + + if (getfilecon(data->tty_path, &data->prev_tty_context) < 0) { + data->prev_tty_context = NULL; + if (errno == ENOENT) { + free(data->tty_path); + data->tty_path = NULL; + return PAM_SUCCESS; + } + pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m", + data->tty_path); + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; } - freecon(newdev_context); - return prev_context; -} -static security_context_t user_context=NULL; -static security_context_t prev_user_context=NULL; -static security_context_t ttyn_context=NULL; /* The current context of ttyn device */ -static int selinux_enabled=0; -static char *ttyn=NULL; + if (security_compute_relabel(data->exec_context, data->prev_tty_context, + SECCLASS_CHR_FILE, &data->tty_context)) { + data->tty_context = NULL; + pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m", + data->tty_path); + freecon(data->prev_tty_context); + data->prev_tty_context = NULL; + free(data->tty_path); + data->tty_path = NULL; + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + } -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) + return PAM_SUCCESS; +} + +static int +restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug) { - /* Fail by default. 
*/ - return PAM_AUTH_ERR; + int err; + + if (!data) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "No context to restore"); + return PAM_SUCCESS; + } + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, + "Restore file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->tty_context ? data->tty_context : "", + data->prev_tty_context ? data->prev_tty_context : ""); + err = set_file_context(pamh, data->prev_tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Restore executable context: [%s] -> [%s]", + data->exec_context, + data->prev_exec_context ? data->prev_exec_context : ""); + err |= set_exec_context(pamh, data->prev_exec_context); + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; } -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) +static int +set_context(pam_handle_t *pamh, const module_data_t *data, + int debug, int verbose) { - return PAM_SUCCESS; + int rc, err; + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, "Set file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->prev_tty_context ? data->prev_tty_context : "", + data->tty_context ? data->tty_context : ""); + err = set_file_context(pamh, data->tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set executable context: [%s] -> [%s]", + data->prev_exec_context ? data->prev_exec_context : "", + data->exec_context); + rc = set_exec_context(pamh, data->exec_context); + err |= rc; + + send_audit_message(pamh, !rc, data->default_user_context, data->exec_context); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Security Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#ifdef HAVE_SETKEYCREATECON + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set key creation context to %s", + data->exec_context ? 
data->exec_context : ""); + rc = setkeycreatecon(data->exec_context); + err |= rc; + if (rc) + pam_syslog(pamh, LOG_ERR, "Setting key creation context %s failed: %m", + data->exec_context ? data->exec_context : ""); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Key Creation Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#endif + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; } -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +static int +create_context(pam_handle_t *pamh, int argc, const char **argv, + int debug, int verbose) { - int i, debug = 0, ttys=1; - int verbose=0, close_session=0; + int i; + int ttys = 1; int select_context = 0; int use_current_range = 0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; int env_params = 0; - const char *username; - const void *void_username; - const void *tty = NULL; - char *seuser=NULL; - char *level=NULL; - security_context_t default_user_context=NULL; -#ifdef HAVE_GETSEUSER - const void *void_service; - const char *service; -#endif + module_data_t *data; /* Parse arguments. */ for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) { - debug = 1; - } if (strcmp(argv[i], "nottys") == 0) { ttys = 0; } - if (strcmp(argv[i], "verbose") == 0) { - verbose = 1; - } - if (strcmp(argv[i], "close") == 0) { - close_session = 1; - } if (strcmp(argv[i], "select_context") == 0) { select_context = 1; } 
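Review bot: set_file_context() forwards a NULL context straight to setfilecon() even though its own log line already guards `context ? context : ""`, and compute_tty_context() can hand it exactly that: when getfilecon() fails with an errno other than ENOENT on a non-enforcing system it returns PAM_SUCCESS with tty_path still set while prev_tty_context and tty_context are both NULL, so set_context() and later restore_context() end up calling setfilecon(tty_path, NULL), which libselinux presumably does not accept (it derives the xattr length from the context string). Guard the helper, `if (!file || !context) return 0;`, or free and clear tty_path on that getfilecon() failure path the way the security_compute_relabel() failure branch just below it already does. A smaller nit in free_module_data(): the `exec_context != default_user_context` test is evaluated after `freecon(data->default_user_context)`, so it compares against an already-freed pointer value; performing the comparison before that freecon() keeps it well-defined. create_context() continues into the next hunk.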
@@ -624,171 +786,103 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, } } - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Open Session"); + if (is_selinux_enabled() <= 0) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "SELinux is not enabled"); + return PAM_SUCCESS; + } if (select_context && env_params) { - pam_syslog(pamh, LOG_ERR, "select_context cannot be used with env_params"); + pam_syslog(pamh, LOG_ERR, + "select_context cannot be used with env_params"); select_context = 0; } - /* this module is only supposed to execute close_session */ - if (close_session) - return PAM_SUCCESS; + if (!(data = calloc(1, sizeof(*data)))) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; + } - if (!(selinux_enabled = is_selinux_enabled()>0) ) - return PAM_SUCCESS; + i = compute_exec_context(pamh, data, select_context, use_current_range, + env_params, debug); + if (i != PAM_SUCCESS) { + free_module_data(data); + return i; + } - if (pam_get_item(pamh, PAM_USER, &void_username) != PAM_SUCCESS || - void_username == NULL) { - return PAM_USER_UNKNOWN; + if (!data->exec_context) { + free_module_data(data); + return (security_getenforce() == 1) ? 
PAM_SESSION_ERR : PAM_SUCCESS; } - username = void_username; -#ifdef HAVE_GETSEUSER - if (pam_get_item(pamh, PAM_SERVICE, (void *) &void_service) != PAM_SUCCESS || - void_service == NULL) { - return PAM_SESSION_ERR; + if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) { + free_module_data(data); + return i; } - service = void_service; - if (getseuser(username, service, &seuser, &level) == 0) { -#else - if (getseuserbyname(username, &seuser, &level) == 0) { -#endif - num_contexts = get_ordered_context_list_with_level(seuser, - level, - NULL, - &contextlist); - if (debug) - pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", - username, seuser, level); - free(level); + if ((i = pam_set_data(pamh, DATANAME, data, cleanup)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Error saving context: %m"); + free_module_data(data); + return i; } - if (num_contexts > 0) { - free(seuser); - default_user_context=strdup(contextlist[0]); - freeconary(contextlist); - if (default_user_context == NULL) { - pam_syslog(pamh, LOG_ERR, "Out of memory"); - return PAM_BUF_ERR; - } - user_context = default_user_context; - if (select_context) { - user_context = config_context(pamh, default_user_context, use_current_range, debug); - } else if (env_params || use_current_range) { - user_context = context_from_env(pamh, default_user_context, env_params, use_current_range, debug); - } + return set_context(pamh, data, debug, verbose); +} - if (user_context == NULL) { - freecon(default_user_context); - pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", - username); - pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; - } - } - else { - if (seuser != NULL) { - user_context = manual_context(pamh,seuser,debug); - free(seuser); - } - if (user_context == NULL) { - pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", - 
username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; - } - } +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + /* Fail by default. */ + return PAM_AUTH_ERR; +} - if (getexeccon(&prev_user_context)<0) { - prev_user_context=NULL; - } - if (ttys) { - /* Get the name of the terminal. */ - if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS) { - tty = NULL; - } +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} - if ((tty == NULL) || (strlen(tty) == 0) || - strcmp(tty, "ssh") == 0 || strncmp(tty, "NODEV", 5) == 0) { - tty = ttyname(STDIN_FILENO); - if ((tty == NULL) || (strlen(tty) == 0)) { - tty = ttyname(STDOUT_FILENO); - } - if ((tty == NULL) || (strlen(tty) == 0)) { - tty = ttyname(STDERR_FILENO); - } +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + const module_data_t *data; + int i, debug = 0, verbose = 0, close_session = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; } - } - if (ttys && tty) { - ttyn=strdup(tty); - ttyn_context=security_label_tty(pamh,ttyn,user_context); - } - send_audit_message(pamh, 1, default_user_context, user_context); - if (default_user_context != user_context) { - freecon(default_user_context); - } - ret = setexeccon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; - snprintf(msg, sizeof(msg), - _("Security Context %s Assigned"), user_context); - send_text(pamh, msg, debug); - } - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! 
Unable to set %s executable context %s.", - username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", - username, user_context); - } -#ifdef HAVE_SETKEYCREATECON - ret = setkeycreatecon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; - snprintf(msg, sizeof(msg), - _("Key Creation Context %s Assigned"), user_context); - send_text(pamh, msg, debug); - } - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! Unable to set %s key creation context %s.", - username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; + if (strcmp(argv[i], "close") == 0) { + close_session = 1; } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", - username, user_context); } -#endif - freecon(user_context); - return PAM_SUCCESS; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + + /* Is this module supposed to execute close_session only? */ + if (close_session) + return PAM_SUCCESS; + + data = get_module_data(pamh); + + /* If there is a saved context, this module is supposed to set it again. */ + return data ? set_context(pamh, data, debug, verbose) : + create_context(pamh, argc, argv, debug, verbose); } PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int i, debug = 0, status = PAM_SUCCESS, open_session = 0; - if (! (selinux_enabled )) - return PAM_SUCCESS; + int i, debug = 0, open_session = 0; /* Parse arguments. */ for (i = 0; i < argc; i++) { 
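Review bot: `return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;` in create_context treats a failed security_getenforce() (it returns -1 on error) the same as permissive mode, so a session whose exec context could not be computed is let through whenever the enforcing state cannot be read. Because is_selinux_enabled() has already returned > 0 a few lines earlier in this hunk, an unreadable enforcing state is an anomaly rather than an expected condition, and `return (security_getenforce() == 0) ? PAM_SUCCESS : PAM_SESSION_ERR;` would keep the permissive behaviour while failing closed on error. The same `err && security_getenforce() == 1` test appears in set_context and restore_context in the preceding hunk, whose start is outside this page's view, and would want the same treatment. create_context itself begins before this hunk, so the argument loop closed at its top is only partly visible.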
@@ -803,34 +897,10 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, if (debug) pam_syslog(pamh, LOG_NOTICE, "Close Session"); + /* Is this module supposed to execute open_session only? */ if (open_session) return PAM_SUCCESS; - if (ttyn) { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Restore tty %s -> %s", - ttyn,ttyn_context); - - security_restorelabel_tty(pamh,ttyn,ttyn_context); - freecon(ttyn_context); - free(ttyn); - ttyn=NULL; - } - - if (setexeccon(prev_user_context)) { - pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.", - prev_user_context ? prev_user_context : ""); - if (security_getenforce() == 1) - status = PAM_AUTH_ERR; - else - status = PAM_SUCCESS; - } else if (debug) - pam_syslog(pamh, LOG_NOTICE, "Executable context back to original"); - - if (prev_user_context) { - freecon(prev_user_context); - prev_user_context = NULL; - } - - return status; + /* Restore original context. */ + return restore_context(pamh, get_module_data(pamh), debug); } -- cgit v1.2.3 From cffedb98666140013497524064d3098c11461ff1 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 19 Oct 2010 23:34:52 +0000 Subject: pam_selinux.c: add "restore" option * modules/pam_selinux/pam_selinux.c (pam_sm_open_session): Add new "restore" option. --- modules/pam_selinux/pam_selinux.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index a8f540dd..d66ccb46 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -849,7 +849,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { const module_data_t *data; - int i, debug = 0, verbose = 0, close_session = 0; + int i, debug = 0, verbose = 0, close_session = 0, restore = 0; /* Parse arguments. */ for (i = 0; i < argc; i++) { 
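Review bot: The new `return restore_context(pamh, get_module_data(pamh), debug);` in pam_sm_close_session silently relies on two things the reader cannot see here: the `selinux_enabled` early return removed in the previous hunk is now covered only by get_module_data() returning NULL when open_session saved nothing, and restore_context (earlier on this page) turns a NULL data pointer into a PAM_SUCCESS no-op. A short comment would make that contract explicit, e.g. `/* NULL means open_session saved nothing (SELinux disabled or no context); restore_context treats it as a no-op. */` above the return. Note also that the saved data is left in place after restoring, so a later open_session call will find it and re-apply the saved contexts, which appears intentional given the restore logic but is worth stating.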
@@ -862,6 +862,9 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (strcmp(argv[i], "close") == 0) { close_session = 1; } + if (strcmp(argv[i], "restore") == 0) { + restore = 1; + } } if (debug) @@ -873,6 +876,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, data = get_module_data(pamh); + /* Is this module supposed only to restore original context? */ + if (restore) + return restore_context(pamh, data, debug); + /* If there is a saved context, this module is supposed to set it again. */ return data ? set_context(pamh, data, debug, verbose) : create_context(pamh, argc, argv, debug, verbose); -- cgit v1.2.3 From aea290af6d2de6a493e952b9ef8c771ab9014fef Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Tue, 19 Oct 2010 23:34:52 +0000 Subject: pam_selinux.8.xml: update * modules/pam_selinux/pam_selinux.8.xml (pam_selinux-cmdsynopsis): Reorder options, add new "restore" option. pam_selinux-description): Rewrite. (pam_selinux-options): Reorder options, describe new "restore" option. (pam_selinux-return_values): Remove PAM_AUTH_ERR, PAM_SESSION_ERR and PAM_BUF_ERR. (pam_selinux-see_also): Remove pam.conf(5). Add execve(2), tty(4) and selinux(8). --- modules/pam_selinux/pam_selinux.8.xml | 113 ++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 39 deletions(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 2c1cdb24..28d465f5 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -19,17 +19,20 @@ pam_selinux.so - close + open - debug + close - open + restore nottys + + debug + verbose 
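Review bot: In the `@@ -873` hunk `if (restore) return restore_context(pamh, data, debug);` is only reached after the `close_session` early return a few lines above it, so a stack entry that passes both `close` and `restore` silently ignores `restore` with no diagnostic. The module already logs conflicting options for select_context/env_params with pam_syslog at LOG_ERR, so the parsing in the `@@ -862` hunk could follow the same convention once the loop ends, e.g. `if (restore && close_session) pam_syslog(pamh, LOG_WARNING, "restore is ignored when close is given");`. Separately, when `restore` is given and `data` is NULL (restore placed before any open_session in the stack), restore_context returns PAM_SUCCESS and logs only under debug, which makes a misordered stack hard to notice; consider whether that case deserves an unconditional notice.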
@@ -48,26 +51,31 @@ DESCRIPTION - In a nutshell, pam_selinux sets up the default security context for the - next execed shell. + pam_selinux is a PAM module that sets up the default SELinux security + context for the next executed process. + + + When a new session is started, the open_session part of the module + computes and sets up the execution security context used for the next + + execve2 + + call, the file security context for the controlling terminal, and + the security context used for creating a new kernel keyring. - When an application opens a session using pam_selinux, the shell that - gets executed will be run in the default security context, or if the - user chooses and the pam file allows the selected security context. - Also the controlling tty will have it's security context modified to - match the users. + When the session is ended, the close_session part of the module restores + old security contexts that were in effect before the change made + by the open_session part of the module. - Adding pam_selinux into a pam file could cause other pam modules to - change their behavior if the exec another application. The close and - open option help mitigate this problem. close option will only cause - the close portion of the pam_selinux to execute, and open will only - cause the open portion to run. You can add pam_selinux to the config - file twice. Add the pam_selinux close as the executes the open pass - through the modules, pam_selinux open_session will happen last. - When PAM executes the close pass through the modules pam_selinux - close_session will happen first. + Adding pam_selinux into the PAM stack might disrupt behavior of other + PAM modules which execute applications. To avoid that, + pam_selinux.so open should be placed after such + modules in the PAM stack, and pam_selinux.so close + should be placed before them. 
When such a placement is not feasible, + pam_selinux.so restore could be used to temporary + restore original security contexts. @@ -76,34 +84,34 @@ - + - Only execute the close_session portion of the module. + Only execute the open_session part of the module. - + - Turns on debugging via - - syslog3 - . + Only execute the close_session part of the module. - + - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the + security contexts as they were before the previous call of + the module. Another call of this module without the restore + option will set up the new security contexts again. @@ -113,7 +121,20 @@ - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. + + + + + + + + + + Turn on debug messages via + + syslog3 + . @@ -123,7 +144,7 @@ - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. @@ -134,7 +155,7 @@ Attempt to ask the user for a custom security context role. - If MLS is on ask also for sensitivity level. + If MLS is on, ask also for sensitivity level. @@ -145,11 +166,11 @@ Attempt to obtain a custom security context role from PAM environment. - If MLS is on obtain also sensitivity level. This option and the - select_context option are mutually exclusive. The respective PAM + If MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and - SELINUX_USE_CURRENT_RANGE. The first two variables + SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. 
@@ -181,18 +202,18 @@ RETURN VALUES - PAM_AUTH_ERR + PAM_SUCCESS - Unable to get or set a valid context. + The security context was set successfully. - PAM_SUCCESS + PAM_SESSION_ERR - The security context was set successfully. + Unable to get or set a valid context. @@ -204,6 +225,14 @@ + + PAM_BUF_ERR + + + Memory allocation error. + + + @@ -220,13 +249,19 @@ session optional pam_selinux.so SEE ALSO - pam.conf5 + execve2 + , + + tty4 , pam.d5 , pam8 + , + + selinux8 -- cgit v1.2.3 From 6b2a5b9f5595f39fb919c12c52c7f3c53f33f914 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 6 Sep 2012 14:58:57 +0200 Subject: pam_selinux, pam_tally2: Add tty and rhost to audit data. modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and rhost from PAM items and pass them to audit. modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and rhost from PAM items and pass them to audit. (main): Obtain tty name of stdin and pass it to audit. --- modules/pam_selinux/pam_selinux.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index d66ccb46..473655c5 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau int audit_fd = audit_open(); security_context_t default_raw=NULL; security_context_t selected_raw=NULL; + const void *tty = NULL, *rhost = NULL; rc = -1; if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || 
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); return rc; } + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { pam_syslog(pamh, LOG_ERR, "Error translating default context."); default_raw = NULL; @@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau goto out; } if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, - msg, NULL, NULL, NULL, success) <= 0) { + msg, rhost, NULL, tty, success) <= 0) { pam_syslog(pamh, LOG_ERR, "Error sending audit message."); goto out; } -- cgit v1.2.3 From b2d771f1d3689fd165fe5bd1e0a6d81b31424688 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Fri, 30 Nov 2012 21:05:26 +0100 Subject: pam_selinux: Drop obsolete and unsupported manual context selection. modules/pam_selinux/pam_selinux.c (manual_context): Drop function. (compute_exec_context): Drop manual_context() call. --- modules/pam_selinux/pam_selinux.c | 80 --------------------------------------- 1 file changed, 80 deletions(-) (limited to 'modules/pam_selinux') diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 473655c5..b96cc236 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c 
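Review bot: `audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, msg, rhost, NULL, tty, success)` now records the raw PAM_TTY item as the terminal, but elsewhere in this module the item is treated as unreliable when it equals "ssh" or begins with "NODEV" (the removed open_session code earlier on this page fell back to ttyname() on stdin/stdout/stderr in that case), so audit records can carry those placeholder strings rather than a device name. Either apply the same normalization before the call or document it, e.g. `/* PAM_TTY may be a placeholder such as "ssh" or "NODEV..."; recorded as-is. */` next to the pam_get_item calls added in the `@@ -95` hunk. PAM_RHOST is whatever the calling application stored, typically a remote-supplied value, so the hostname field is useful for correlation but should not be read as authoritative; a one-line comment to that effect would help whoever consumes these records. send_audit_message begins outside this hunk.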
@@ -161,81 +161,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, return rc; } -static security_context_t -manual_context (pam_handle_t *pamh, const char *user, int debug) -{ - security_context_t newcon=NULL; - context_t new_context; - int mls_enabled = is_selinux_mls_enabled(); - char *type=NULL; - char *response=NULL; - - while (1) { - if (query_response(pamh, - _("Would you like to enter a security context? [N] "), NULL, - &response, debug) != PAM_SUCCESS) - return NULL; - - if ((response[0] == 'y') || (response[0] == 'Y')) - { - if (mls_enabled) - new_context = context_new ("user:role:type:level"); - else - new_context = context_new ("user:role:type"); - - if (!new_context) - goto fail_set; - - if (context_user_set (new_context, user)) - goto fail_set; - - _pam_drop(response); - /* Allow the user to enter each field of the context individually */ - if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && - response[0] != '\0') { - if (context_role_set (new_context, response)) - goto fail_set; - if (get_default_type(response, &type)) - goto fail_set; - if (context_type_set (new_context, type)) - goto fail_set; - _pam_drop(type); - } - _pam_drop(response); - - if (mls_enabled) - { - if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && - response[0] != '\0') { - if (context_range_set (new_context, response)) - goto fail_set; - } - _pam_drop(response); - } - - /* Get the string value of the context and see if it is valid. 
*/ - if (!security_check_context(context_str(new_context))) { - newcon = strdup(context_str(new_context)); - context_free (new_context); - return newcon; - } - else - send_text(pamh,_("Not a valid security context"),debug); - - context_free (new_context); - } - else { - _pam_drop(response); - return NULL; - } - } /* end while */ - fail_set: - free(type); - _pam_drop(response); - context_free (new_context); - return NULL; -} - static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) { struct av_decision avd; @@ -606,11 +531,6 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data, data->exec_context = context_from_env(pamh, data->default_user_context, env_params, use_current_range, debug); - } else { - if (seuser) { - data->exec_context = manual_context(pamh, seuser, debug); - free(seuser); - } } if (!data->exec_context) { -- cgit v1.2.3
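Review bot: The removed `else` branch in compute_exec_context was the only place visible in this hunk that freed `seuser` on the path where no ordered context list was obtained; the earlier open_session code on this page freed it inside `if (num_contexts > 0)` and in this else branch only, so unless the surrounding function (which begins outside the hunk) now frees it unconditionally, the string returned by getseuserbyname()/getseuser() leaks when num_contexts is zero. Moving ownership out of the branches with a single `free(seuser);` after the if/else, rather than relying on each branch to release it, would make this robust to further pruning of the selection paths. Please confirm against the full function before merging.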